
HIPAA: Data Trade Prosecutions on the Horizon?

By Ronald H. Levine
October 01, 2003

Mention HIPAA (the Health Insurance Portability and Accountability Act) to a typical CEO, and boredom sets in. Many corporate leaders remain unaware of the risks of HIPAA non-compliance, but the Act includes a criminal statute that creates vast potential exposure for health care providers and other players in the health care “data trade.”

Enacted in 1996, HIPAA was meant to increase “the efficiency and effectiveness of the health care system by facilitating the exchange of information with respect to health plans, health care clearinghouses and health care providers who transmit information in connection with [financial and administrative] transactions.” South Carolina Medical Assoc. v. HHS, 327 F.3d 346, 348 (4th Cir. 2003).

To encourage the trend toward the exchange of computerized health care information, HIPAA mandated the promulgation of uniform electronic exchange standards, see 42 U.S.C. § 1320d-2(a)(1), and “national standards to protect the security and privacy” of that information. See 68 Fed. Reg. 18895, 18896 (April 17, 2003).

'Contraband' Health Information

The criminal component? HIPAA essentially makes “protected health information” contraband in much the same way as information protected by statutes aimed at insider information, computer hacking, identity theft, credit/debit card fraud, trade secret theft and economic espionage. Buried in Title 42, this little-known HIPAA statute provides that a person who knowingly and in violation of this part:

  • uses or causes to be used a unique health identifier;
  • obtains individually identifiable health information relating to an individual; or
  • discloses individually identifiable health information to another person … shall be … fined not more than $50,000, imprisoned not more than 1 year, or both … 42 U.S.C. § 1320d-6.

“Individually identifiable health information” (protected health information or PHI for short) includes demographic and other information collected from an individual by a health care provider or plan that relates to the “health, condition, care, or payment for care of that individual and which either identifies that individual or from which there is a reasonable basis to believe that individual can be identified.” § 1320d(6). If the crime is committed under false pretenses, maximum penalties increase to 5 years in jail and a $100,000 fine. If committed with the intent to “sell, transfer, or use individually identifiable health information for commercial advantage” or “personal gain,” maximum penalties are further upped to 10 years in jail and a $250,000 fine. Id. A lenient civil enforcement provision also was enacted. It imposes a $100 penalty per violation, capped at $25,000 for identical violations during a calendar year. 42 U.S.C. § 1320d-5(a)(1). The civil provision also exempts those who did not reasonably know that they had violated the Act and those who failed to comply due to a reasonable cause and who promptly cure. § 1320d-5(b)(2), (3).

The 'Data Trade'

Massive amounts of computerized patient health care information are generated by health care providers and health benefit plans. Providers and plans in turn do business with data clearinghouses, pharmacy benefits managers (PBMs) and commercial claims processors. The health care “data trade” refers to the acquisition from one or more of these “downstream” data handlers of large amounts of patient health information, which is then aggregated, stored, analyzed and held for commercial sale. Buyers of this aggregated data use it for everything from research or marketing to insurance underwriting.

The trade is enormous. One company boasts on its Web site that it has “developed the largest commercially available database of integrated outcomes information … that includes … the complete record of medical and pharmaceutical services provided to more than 20 million patients from over 40 health plans.”

Criminal Liability Through 'Business Associates'

HIPAA regulates health care providers, plans, and clearinghouses, called “covered entities” (CEs), which transmit health information in electronic form. 42 U.S.C. §§ 1320d-1(a), 1320d(2)-(5). But the regulations promulgated under HIPAA also cover “business associates” of CEs. Business associates may receive PHI from a CE solely for the purpose of providing processing, actuarial, data aggregation or other services to or on behalf of that CE. Id.; 65 Fed. Reg. 82642, 82475 (Dec. 28, 2000). Any downstream data handler working with a CE could be considered a “business associate.” 45 C.F.R. § 160.103.

The business associate and the CE must enter into a contract that spells out the uses and disclosures of PHI that the business associate may undertake, and the safeguards to be implemented to protect this information. 45 C.F.R. §§ 164.308, 164.314. In the case of a business associate providing “data aggregation” services to a CE, HHS intends that the business associate receive PHI from several CEs with which it has relationships “in order to permit the creation of data for analyses [e.g., quality assurance and comparative analysis] that relate to the health care operations of the respective covered entities.” 65 Fed. Reg. 82642, 82475 (Dec. 28, 2000) (emphasis added). In other words, HHS may take the position that data aggregation by a business associate must be of some use or relate to the CE.

A business associate may use, disclose or sell PHI to third parties further downstream only if it is “de-identified,” or scrubbed of all characteristics that might be used to identify the patient. 45 C.F.R. §§ 164.501, 164.502(d). The CE does not have to monitor its business associate to ensure compliance with the contract. 65 Fed. Reg. 82642, 82785 (Dec. 28, 2000). However, the CE must investigate “substantial and credible evidence” of a contract violation and act upon any knowledge of a violation, i.e., cure or terminate the contract. Id. at 82505; 45 C.F.R. §§ 164.504(e), 164.530(f). “Knowledge” is to be construed consistent with “common principles of law that dictate when knowledge can be attributed to a corporate entity.” 67 Fed. Reg. 53182, 53253 (Aug. 14, 2002). There's the rub. A carelessly drafted business associate contract, or reckless disregard of what the business associate actually is doing with PHI, could expose the covered health care entity to criminal (and civil) sanctions.

Dual Purpose Contracts

Take this example. Many data handlers seek to impose form business associate contracts upon CE providers. Suppose that contract states that, for a set fee, the data handler will process the CE provider's claims for payment and also perform data aggregation analyses. Assume that the providers receive these data analysis reports but actually have no use for them, or, worse, get no reports at all. Finally assume that the fee for the claims processing work is discounted to reflect the proprietary value to the handler of the data that it is receiving.

Arguably, a business associate ought to be receiving PHI only for services it performs for or on behalf of the CE. If the aggregation service is not received or used by the CE, the CE's provision of PHI to the handler may stand outside of the business associate relationship. The CE might be found to have sold PHI for “commercial advantage” or “gain” in violation of the HIPAA criminal statute. If the handler does a poor job of de-identifying the PHI, and passes it further downstream to a buyer, the problem is compounded.

Unresolved Issues

As with many new criminal statutes, issues and questions abound:

  • The statute appears to apply on its face to CEs. The government presumably will argue that business associates and downstream data handlers may also suffer criminal exposure under HIPAA through aiding and abetting, accessory or conspiracy theories. Depending on their use of the PHI, associates and handlers could also face stand-alone exposure under, for example, various identity theft statutes. See 18 U.S.C. § 1028; 42 U.S.C. § 408.
  • In this arcane regulatory context, does “knowingly” really cover everything but accidents and mistakes, or does it require proof of some higher state of mind, such as willfulness? See Bryan v. United States, 524 U.S. 184 (1998).
  • What is the unit of prosecution? If it turns on the wrongful disclosure of each patient's PHI, then a single data trade could involve tens of thousands of potential counts and grab the headlines with staggering maximum penalties.
  • No federal sentencing guideline has been implemented for this statute. By analogy to the identity theft guideline, assuming a small data trade (just over 50 individuals) and a two-level upward departure for a “substantial invasion of a privacy interest,” a defendant would face at least a Zone C 10-16 month imprisonment range. U.S.S.G. § 2B1.1 and Application Note 15(A)(ii).
  • Will defense lawyers be able to use the civil-penalty exemptions, § 1320d-5(b)(2), (3), as a persuasive analogy for exemption or leniency on the criminal side?

Conclusion

New criminal laws beget new prosecutions after a period of prosecutor and agent education, Department of Justice policy guidance, and media coverage of some egregious violation. CE compliance and privacy officers should pay close attention to the terms and pricing of any agreement with data handlers. CEs should receive assurances that the data will be used only for legitimate claims processing or transmission, and not held for use by or sale to third parties. Alternatively, they should insist on contract provisions that limit data aggregation to the use or benefit of the contracting CE.

HHS Refers HIPAA Breaches to Justice

The agency charged with investigating breaches of the federal privacy regulation has turned over to the Department of Justice, for possible criminal prosecution, complaints alleging egregious breaches of the rule, according to a senior official with the Health and Human Services Office for Civil Rights. Speaking at the Seventh Annual HIPAA Summit, held last month in Baltimore, Susan McAndrew, OCR's senior advisor for HIPAA privacy policy, told conferees that when her agency turns these cases over, “clearly these are really bad guys.” Issued under the administrative simplification provisions of the Health Insurance Portability and Accountability Act, compliance with the privacy rule was mandated for most covered entities (providers, payers, and clearinghouses) by April 14, 2003. More information about the summit is at http://www.hipaasummit.com/.

Ronald H. Levine, Post & Schell, P.C.
